Hackers distribute Windows 10 using torrents that hide cryptocurrency hackers in the Extensible Firmware Interface (EFI) partition to evade detection.
THE EFI bulkhead is a small system partition containing the bootloader and related files that run before the operating system boots. It is essential for UEFI powered systems replacing the now obsolete BIOS.
There have been attacks using modified EFI partitions to activate malware outside the context of the operating system and its defense tools, as in the case of Black Lotus. However, pirated Windows 10 ISOs discovered by Dr. Web researchers just use EFI as a safe storage space for mower components.
Since standard antivirus tools generally do not scan the EFI partition, the malware can potentially bypass malware detections.
The Dr. Web report explains that malicious versions of Windows 10 hide the following applications in the system directory:
- \Windows\Installer\iscsicli.exe (dropper)
- \Windows\Installer\recovery.exe (injector)
- \Windows\Installer\kd_08_5e78.dll (clipper)
When the operating system is installed using the ISO, a scheduled task is created to launch a dropper named iscsicli.exe, which mounts the EFI partition as the “M:\” drive. Once mounted, the dropper copies the other two files, recovery.exe and kd_08_5e78.dll, to the C:\ drive.
Recovery.exe is then launched, which injects the clipper malware DLL into the legitimate system process %WINDIR%\System32\Lsaiso.exe via process mining.
After being injected, the clipper will check if the file C:\Windows\INF\scunown.inf exists or if any scanning tools are running, such as Process Explorer, Task Manager, Process Monitor, ProcessHacker, etc. .
If detected, the clipper will not replace crypto wallet addresses to evade detection by security researchers.
Once the clipper is running, it will monitor the system clipboard for cryptocurrency wallet addresses. If found, they are replaced on the fly with addresses under the attacker’s control.
This allows threat actors to redirect payments to their accounts, which Dr. Web claims earned them at least $19,000 worth of cryptocurrency on the wallet addresses researchers were able to identify.
These addresses were taken from the following Windows ISO shared on torrent sites, but Dr. Web warns that there may be more:
- Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
- Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
- Windows 10 Professional 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
Downloads of pirated operating systems should be avoided as they can be dangerous, as those who create the unofficial versions can easily hide persistent malware.